8.9 KiB
(importing-resources)=
Importing resources
There are a number of scenarios in which it is necessary to import existing resources for management by Pulumi:
- Migrating manually managed resources to an infrastructure-as-code solution;
- Migrating from other infrastructure-as-code platforms to Pulumi;
- Moving resources between Pulumi stacks in cases where e.g.
pulumi state moveis not sufficient.
Pulumi offers two approaches for importing resources: the import resource
option and the pulumi import command. At a minimum, importing a resource
involves adding the resource's state to the destination stack's
state. Once the resource has been added to the stack, the
Pulumi CLI is able to manage the resource like any other.
The import resource option
The import resource
option accepts the
ID of an existing resource whose state should be
and imported into the stack.
Importing a resource using the import resource option requires that the
desired state described by the Pulumi program for a resource being imported
matches the actual state of the resource as returned by the provider. More
precisely, given a resource R of type T with import ID X and set of inputs
(as specified in the program) Iₚ, the engine performs the following sequence
of operations:
- Fetch the current inputs
Iₐand stateSₐfor the resource of typeTwith IDXfrom its provider by calling the provider's method. If the provider does not return a value forIₐ, the provider does not support importing resources and the import fails. - Process the
ignoreChangesresource option by copying the value for any ignored input property fromIₐtoIₚ. - Validate the resource's inputs and apply any programmatic defaults by passing
IₚandIₐto the provider's method. LetIₖbe the checked inputs; these inputs form the resource's desired state. - Check for differences between
IₖandSₐby calling the provider's method. If the provider reports any differences, the import either succeeds with a warning (in the case of a preview) or fails with an error (in the case of an update).
If all of these steps succeed, the user is left with a definition for R in
their Pulumi program that matches that in the stack's state exactly.
:caption: Importing a resource using the `import` resource option
:zoom:
sequenceDiagram
participant LH as Language host
box Engine
participant RM as Resource monitor
participant SG as Step generator
participant SE as Step executor
end
participant P as Provider
LH->>+RM: RegisterResourceRequest(type, name, inputs, options)
RM->>+SG: RegisterResourceEvent(type, name, inputs, options)
SG->>+SE: ImportStep(inputs, options)
SE->>+P: ReadRequest(type, id)
P->>-SE: ReadResponse(current inputs, current state)
SE->>+P: CheckRequest(type, inputs, current inputs)
P->>-SE: CheckResponse(inputs', failures)
SE->>+P: DiffRequest(type, inputs', current state, options)
P->>-SE: DiffResponse(diff)
SE->>-RM: Done(current state)
RM->>-LH: RegisterResourceResponse(URN, ID, current state)
pulumi import
pulumi import is a
newer method of importing resources into a stack that also generates program
code for imported resources. pulumi import accepts a list of import specs,
where each spec comprises at minimum a type token, name, and
ID, but may also specify a parent URN, provider reference, and
package version. Unlike the import resource option, pulumi import does not
insist that the desired state of the resource in the Pulumi program matches the
actual state of the resource as returned by the provider, since it is capable of
generating code to match the actual state. Given a resource R of type T with
import ID X and an (initiall empty) set of input properties Iₚ, the engine
performs the following sequence of operations:
- Fetch the current inputs
Iₐand stateSₐfor the resource of typeTwith IDXfrom its provider by calling the provider's method. If the provider does not return a value forIₐ, the provider does not support importing resources and the import fails. - Fetch the schema for resources of type
Tfrom the provider. If the provider is not schematized or ifThas no schema, the import fails. - Copy the value of each required input property defined in the schema for
TfromIₐtoIₚ. - Validate the resource's inputs and apply any programmatic defaults by passing
IₚandIₐto the provider's method. LetIₖbe the checked inputs; these inputs form the resource's desired state. - Check for differences between
IₖandSₐby calling the provider's method. If the provider reports any differences, the values of the differing properties are copied fromSₐtoIₚ. This is intended to produce the smallest valid set of inputs necessary to avoid diffs. This does not use a fixed-point algorithm because there is no guarantee that the values copied fromSₐare in fact valid (state and inputs with the same property paths may have different types and validation rules) and there is no guarantee that such an algorithm would terminate ( bridged Terraform providers, for example, have had bugs that cause persistent diffs, which can only be worked around withignoreChanges).
If all of these steps succeed, the user is left with a definition for R in
their state. The Pulumi CLI then passes the inputs Iₚ stored in the state to
the import code generator. The import code generator converts the values present
in Iₚ into an equivalent PCL representation of R's desired state,
then passes the PCL to a language-specific code generator to emit a
representation of R's desired state in the language used by the destination
stack's Pulumi program. The user can then copy the generated definition into
their Pulumi program.
:caption: Importing a resource using the `pulumi import` CLI
:zoom:
sequenceDiagram
participant PI as pulumi import
participant CV as PCL converter
participant LH as Language host
box Engine
participant ID as Import driver
participant SE as Step executor
end
participant P as Provider
PI->>+ID: Import(specs)
ID->>+SE: ImportStep(inputs, options)
SE->>+P: ReadRequest(type, id)
P->>-SE: ReadResponse(current inputs, current state)
SE->>+P: CheckRequest(type, inputs, current inputs)
P->>-SE: CheckResponse(inputs', failures)
SE->>+P: DiffRequest(type, inputs', current state, options)
P->>-SE: DiffResponse(diff)
SE->>-ID: Done(current state)
ID->>-PI: Done(current state)
PI->>+CV: Convert(current state)
CV->>-PI: Done(PCL definitions)
PI->>+LH: GenerateProgram(PCL definitions)
LH->>-PI: Done(generated resource definitions)
Limitations and challenges
The primary challenge in generating appropriate code for pulumi import lies in
determining exactly what the input values for a particular resource should be.
In many providers, it is not necessarily possible to accurately recover a
resource's inputs from its state. This observation led to the diff-oriented
approach described above, where the importer begins with an extremely minimal
set of inputs and attempts to derive the actual inputs from the results of a
call to the provider's method.
Unfortunately, the results are not always satisfactory, and the relatively small
set of inputs present in the generated code can make it difficult for users to
determine what inputs they actually need to pass to the resource to describe
its current state.
A few other approaches might be:
- Emit no properties at all and instead just output appropriate resource constructor calls. This will almost always emit code that does not compile or run, as nearly every resource has at least one required property.
- Copy the value for every input property present in a resource's schema from its state. This risks emitting code that does not compile due to differences in types between inputs and outputs, and also risks emitting code that does not work at runtime due to conflicts between mutually-exclusive properties (which are unfortunately common for Terraform-based resources, for example).
It is likely that some mix of approaches is necessary in order to arrive at a satisfactory solution, as none of the above solutions seems universally "correct".